Microsoft admits reading blogger's Hotmail as part of leak investigation

Microsoft has defended what it calls the "extraordinary action" of conducting a "limited review" of a blogger's Hotmail account as part of an investigation into a software leak.

The company admitted that it had read the unknown blogger's email in order to identify an employee suspected of selling its intellectual property without permission.

In a court filing dated 17 March 2014, Microsoft alleges that an ex-employee, Alex Kibkalo, had transmitted trade secrets to an unnamed technology blogger residing in France.

Kibkalo is believed to have uploaded "pre-release software updates for Windows 8 RT and ARM devices, as well as the Microsoft Activation Server Software Development KIT (SDK)" to a device in Redmond, as well as his own personal Windows SkyDrive account.

The trail from French blogger to Kibkalo

Microsoft had been aware of the unnamed French blogger for some time, having noticed his penchant for posting pre-release screenshots and news to both his own websites and his Twitter account.

Trustworthy Computing Investigations (TWCI), an internal Microsoft division with responsibility for protecting the company from external threats, attempted to identify the blogger but had little success.

In fact, TCWI was not even sure whether the blogger was himself an employee of Microsoft, or an external party collecting information from an insider.

On 3 September 2012, however, a source asking for anonymity contacted Steven Sinofsky, former President of the Windows Division of Microsoft, saying they had been sent proprietary Microsoft code by the blogger.

The anonymous tipster also revealed to Microsoft how the blogger had made contact via a Hotmail email address. Microsoft was able to confirm its ownership of the code and subsequently gained permission from Microsoft's Office of Legal Compliance (OLC) to access the blogger's Hotmail account.

The ensuing investigation discovered an email from Kibkalo which, allegedly, confirms that he shared confidential Microsoft data, including six zip files of pre-release "hot fixes" for Windows 8 RT, despite the fact that the operating system had not even been released at that time.

Further investigation allegedly revealed that Kibkalo had also shared the Activation Server SDK, as well as instant messages with the blogger in which they had discussed how best to share data between themselves.

As for the motives behind this case, the 17 March 2014 court filing alleges that the blogger confessed to selling the company's intellectual property:

During his interview, the blogger admitted to posting information on Twitter and his websites, knowingly obtaining confidential and proprietary Microsoft IP from Kibkalo, and selling Windows Server activation keys on eBay.

The same document also says:

In 2012, Kibkalo received a poor performance review and threatened to resign if the review was not amended. Kibkalo was advised that the review would not be changed and that he needed to provide a formal resignation letter.

Kibkalo was interviewed by Microsoft TWCI over two days. He acknowledged leaking confidential and proprietary Microsoft information, products and product-related information to the blogger.

Kibkalo also allegedly admitted to communicating with the blogger 3 or 4 times a week for several months and confirmed that he leaked information via his SkyDrive account.

Privacy implications

Despite what may end up being a successful legal outcome for Microsoft, the company has come under some flak due to the privacy implications of reading the content of messages sent via its Hotmail (now called Outlook.com) service.

The search itself was legal – Microsoft's terms of service says that the company can access any information stored on any of its "Communication Services", including email, forums and any other communication mediums:

Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion.

John Frank, Deputy General Counsel & Vice President, Legal & Corporate Affairs, Microsoft, confirmed that the company's actions were within the law but suggested that lessons could be learned.

Frank said that Microsoft "understand[s] the concerns that people have" and added that the company would, in the future:

not conduct a search of a customer's email or any other service unless such an action would justify a court order

rely on a legal team not connected to any investigation to ensure that any action taken would only occur in situations where a crime was suspected and a court order could realistically be obtained, and in conjunction with the support of an independent attorney with prior experience as a federal judge

confine any searches solely to the investigation at hand, under supervision from legal counsel

biannually publish data pertaining to how many customer accounts had been affected by searches, as well as the number of such incursions.